selinux-policy/minimum_temp_fixes.te

policy_module(minimum_temp_fixes, 1.0)

require {
	type sshd_t;
	type lib_t;
	type init_t;
	type unconfined_t;
	type systemd_localed_t;
	type systemd_logind_t;
	type unconfined_service_t;
	type chkpwd_t;
	type bin_t;
	type fsadm_t;
	type getty_t;
	type systemd_tmpfiles_t;
	type systemd_systemctl_exec_t;
	type unconfined_dbusd_t;
	type rtkit_daemon_t;
	type system_dbusd_t;
	class dir mounton;
	class dbus { acquire_svc send_msg };
	class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv };
	class process { execmem transition };
	class file { entrypoint execmod };
}

#============= chkpwd_t ==============
allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd };
files_map_var_lib_files(chkpwd_t)
files_read_var_lib_files(chkpwd_t)
files_write_generic_pid_sockets(chkpwd_t)

#============= fsadm_t ==============
allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };

#============= getty_t ==============
allow getty_t unconfined_service_t:nscd shmemgrp;
files_map_var_lib_files(getty_t)
files_read_var_lib_files(getty_t)
files_write_generic_pid_sockets(getty_t)

#============= init_t ==============
allow init_t bin_t:dir mounton;
allow init_t lib_t:dir mounton;
allow init_t self:process execmem;
allow init_t unconfined_service_t:dbus { acquire_svc send_msg };
allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd };
files_manage_generic_spool(init_t)
corenet_udp_bind_generic_node(init_t)
files_map_var_lib_files(init_t)
files_read_var_files(init_t)
files_manage_var_files(init_t)
storage_raw_read_removable_device(init_t)

#============= sshd_t ==============
allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd };
files_exec_generic_pid_files(sshd_t)
files_map_var_lib_files(sshd_t)
files_read_var_lib_files(sshd_t)
files_write_generic_pid_sockets(sshd_t)
unconfined_server_dbus_chat(sshd_t)

#============= systemd_localed_t ==============
allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg };
files_write_generic_pid_sockets(systemd_localed_t)

#============= systemd_logind_t ==============
allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg };
allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd };
files_map_var_lib_files(systemd_logind_t)
files_read_var_lib_files(systemd_logind_t)
files_write_generic_pid_sockets(systemd_logind_t)
systemd_dbus_chat_logind(systemd_logind_t)

#============= systemd_tmpfiles_t ==============
allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd };
files_map_var_lib_files(systemd_tmpfiles_t)

#============= unconfined_service_t ==============
allow unconfined_service_t unconfined_t:process transition;
init_dbus_chat(unconfined_service_t)
unconfined_server_dbus_chat(unconfined_service_t)

#============= unconfined_t ==============
allow unconfined_t systemd_systemctl_exec_t:file entrypoint;
allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv };

#============= unconfined_dbusd_t ==============
allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };

#============= rtkit_daemon_t ==============
allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd };

#============= system_dbusd_t ==============
allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };
Accepting request 734854 from home:jsegitz:branches:security:SELinux - Moved back to fedora policy (20190802) - Removed spec file conditionals for old SELinux userland - Removed config.tgz - Removed patches: * label_sysconfig.selinux.patch * label_var_run_rsyslog.patch * suse_additions_obs.patch * suse_additions_sslh.patch * suse_modifications_apache.patch * suse_modifications_cron.patch * suse_modifications_getty.patch * suse_modifications_logging.patch * suse_modifications_ntp.patch * suse_modifications_usermanage.patch * suse_modifications_virt.patch * suse_modifications_xserver.patch * sysconfig_network_scripts.patch * segenxml_interpreter.patch - Added patches: * fix_djbdns.patch * fix_dbus.patch * fix_gift.patch * fix_java.patch * fix_hadoop.patch * fix_thunderbird.patch * postfix_paths.patch * fix_nscd.patch * fix_sysnetwork.patch * fix_logging.patch * fix_xserver.patch OBS-URL: https://build.opensuse.org/request/show/734854 OBS-URL: https://build.opensuse.org/package/show/security:SELinux/selinux-policy?expand=0&rev=73 2019-10-04 04:15:03 +02:00			`policy_module(minimum_temp_fixes, 1.0)`

			`require {`
			`type sshd_t;`
			`type lib_t;`
			`type init_t;`
			`type unconfined_t;`
			`type systemd_localed_t;`
			`type systemd_logind_t;`
			`type unconfined_service_t;`
			`type chkpwd_t;`
			`type bin_t;`
			`type fsadm_t;`
			`type getty_t;`
			`type systemd_tmpfiles_t;`
			`type systemd_systemctl_exec_t;`
			`type unconfined_dbusd_t;`
			`type rtkit_daemon_t;`
			`type system_dbusd_t;`
			`class dir mounton;`
			`class dbus { acquire_svc send_msg };`
			`class nscd { getgrp shmemgrp shmemhost shmempwd getpwd gethost getserv shmemserv };`
			`class process { execmem transition };`
			`class file { entrypoint execmod };`
			`}`

			`#============= chkpwd_t ==============`
			`allow chkpwd_t unconfined_service_t:nscd { shmempwd getpwd };`
			`files_map_var_lib_files(chkpwd_t)`
			`files_read_var_lib_files(chkpwd_t)`
			`files_write_generic_pid_sockets(chkpwd_t)`

			`#============= fsadm_t ==============`
			`allow fsadm_t unconfined_service_t:nscd { shmemgrp shmempwd };`

			`#============= getty_t ==============`
			`allow getty_t unconfined_service_t:nscd shmemgrp;`
			`files_map_var_lib_files(getty_t)`
			`files_read_var_lib_files(getty_t)`
			`files_write_generic_pid_sockets(getty_t)`

			`#============= init_t ==============`
			`allow init_t bin_t:dir mounton;`
			`allow init_t lib_t:dir mounton;`
			`allow init_t self:process execmem;`
			`allow init_t unconfined_service_t:dbus { acquire_svc send_msg };`
			`allow init_t unconfined_service_t:nscd { gethost getserv shmemhost shmemserv shmemgrp shmempwd getpwd };`
			`files_manage_generic_spool(init_t)`
			`corenet_udp_bind_generic_node(init_t)`
			`files_map_var_lib_files(init_t)`
			`files_read_var_files(init_t)`
			`files_manage_var_files(init_t)`
			`storage_raw_read_removable_device(init_t)`

			`#============= sshd_t ==============`
			`allow sshd_t unconfined_service_t:nscd { shmemgrp shmemhost shmempwd getgrp getpwd };`
			`files_exec_generic_pid_files(sshd_t)`
			`files_map_var_lib_files(sshd_t)`
			`files_read_var_lib_files(sshd_t)`
			`files_write_generic_pid_sockets(sshd_t)`
			`unconfined_server_dbus_chat(sshd_t)`

			`#============= systemd_localed_t ==============`
			`allow systemd_localed_t unconfined_service_t:dbus { acquire_svc send_msg };`
			`files_write_generic_pid_sockets(systemd_localed_t)`

			`#============= systemd_logind_t ==============`
			`allow systemd_logind_t unconfined_service_t:dbus { acquire_svc send_msg };`
			`allow systemd_logind_t unconfined_service_t:nscd { shmempwd getpwd };`
			`files_map_var_lib_files(systemd_logind_t)`
			`files_read_var_lib_files(systemd_logind_t)`
			`files_write_generic_pid_sockets(systemd_logind_t)`
			`systemd_dbus_chat_logind(systemd_logind_t)`

			`#============= systemd_tmpfiles_t ==============`
			`allow systemd_tmpfiles_t unconfined_service_t:nscd { getpwd getgrp shmemgrp shmempwd };`
			`files_map_var_lib_files(systemd_tmpfiles_t)`

			`#============= unconfined_service_t ==============`
			`allow unconfined_service_t unconfined_t:process transition;`
			`init_dbus_chat(unconfined_service_t)`
			`unconfined_server_dbus_chat(unconfined_service_t)`

			`#============= unconfined_t ==============`
			`allow unconfined_t systemd_systemctl_exec_t:file entrypoint;`
			`allow unconfined_t unconfined_service_t:nscd { shmemgrp shmempwd getgrp gethost getpwd getserv shmemhost shmemserv };`

			`#============= unconfined_dbusd_t ==============`
			`allow unconfined_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };`

			`#============= rtkit_daemon_t ==============`
			`allow rtkit_daemon_t unconfined_service_t:nscd { getpwd shmempwd };`

			`#============= system_dbusd_t ==============`
			`allow system_dbusd_t unconfined_service_t:nscd { getgrp getpwd shmemgrp shmempwd };`